Re: IPSEC Security Gateways & NAT

["jshukla" <jshukla@earthlink.net>]

----- Original Message ----- 
From: "Derek Atkins" <warlord@mit.edu>
> > HASH_I = pfr(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
> 
> Um, I don't see anything here that necessarily depends upon the IP
> Address of either Initiator or Responder.  Perhaps I am being dense,
> but could you please point out the specific term to which you refer?
> Keep in mind that the ID term is **NOT** necessarily tied to the IP
> Address, as you can use many types of ID (such as FQDN) that are
> "movable".
> 

Isn't there a problem in using pre-shared keys for authentication in 
the main mode? The responder uses the IP address to look up the
pre-shared key. Because of NAT, it may not be able to look up the
correct pre-shared key?! If you use aggressive mode, you can overcome
this problem, but the authors of ESPinUSP proposal use the main 
mode in their example.

regards,
Jayant

---

Follow-Ups:

• Re: IPSEC Security Gateways & NAT
• From: Derek Atkins <warlord@mit.edu>

References:

• RE: IPSEC Security Gateways & NAT
• From: "Chen, David" <dchen@ellacoya.com>
• Re: IPSEC Security Gateways & NAT
• From: Derek Atkins <warlord@mit.edu>
• Re: IPSEC Security Gateways & NAT
• From: "jshukla" <jshukla@earthlink.net>
• Re: IPSEC Security Gateways & NAT
• From: Derek Atkins <warlord@mit.edu>

---

• Prev by Date: Re: IPSEC Security Gateways & NAT
• Next by Date: RE: IPSEC Security Gateways & NAT
• Prev by thread: Re: IPSEC Security Gateways & NAT
• Next by thread: Re: IPSEC Security Gateways & NAT
• Index(es):
  • Main
  • Thread